Connect with us

Hi, what are you looking for?


Email Security

Email – The System Running Since 71’

Working remotely is here to stay and businesses should continue to make sure their basic forms of communication are properly configured and secured.

Securing Email

Email has been around a long time. My early days of remote communication started in the “You’ve got mail” era, with AOL dominating the US market share of dial up internet as well as email.  Other free email services emerged, and companies looking to expand globally saw email as a cheaper and quicker communication tool to conduct business.  In the Early 2000s, it was common to see companies host their own internal email servers, often managing users through Active Directory, the dominate Identity and Access management tool at the time. Linux alternatives existed, however was limited to companies who could hire dedicated support to keep those systems running. One important thing to know is that email was not initially designed with security in mind. Since the very early versions of email dating back to the 1980s, we have been retrofitting new types of security on top of existing versions to adapt to modern technologies and protocols.  However, many email configurations are purposefully designed to be backwards compatible which can often weaken an organization’s security posture.

In the modern evolution of email, we see that many organizations have switched to using “managed email” as a service provider. Common ones that stand out are Office365 by Microsoft, Gsuite by Google, Zoho workplace by Zoho. All of these services allow for maximum uptime and availability, while minimizing the cost of hardware and allowing for quick scaling across number of users. In addition to large providers, there are countless smaller providers who often bundle web hosting and email together, like Go Daddy or Bluehost, with a reduced feature set.

From corporate finances to daily tasks, many businesses rely on email to keep things running. It’s one of the few cross-business communication tools we have in place, other than phone or physical mail. It’s also one of the most targeted and successfully compromised systems in the world today. I’ll explain best practices on email, as well as common pitfalls in configuration.

Hosted vs. SaaS

Managed providers can offer varying levels of service at different price points. Most people would agree that using a managed provider outweighs the risk of hosting email within your business. You don’t have to worry about patching, taking a servicer down for maintenance, replacing certificates, or archiving mail to long term storage. A consideration that users should be aware of is the far-reaching implications of having access to one’s email. Email access often is connected with many other corporate tools through third party connections and processes. Some examples might include purchasing software, financial tracking, logistics, or private code repositories. This essentially provides a one stop shop for a malicious user to gain access to multiple systems at once.

Unfortunately, leaked passwords are still one of the most common ways malicious actors get into email. Password dumps are when commonly used websites containing user information are compromised, and the database of passwords were stolen. Actors will either sell or post these emails and passwords on public sites. The major problem here is not that the website was hacked, but that many users reuse the same passwords across other websites. This means a user could have the same password on a website as their corporate email. When this happens, all it takes is for an attacker to try the same password combination across multiple services until they get access.

Small details make a big impact

Advertisement. Scroll to continue reading.

The biggest benefit with managed email providers is their willingness to implement security seriously and adapt to an organization. Typically, by default, these providers offer basic protection and enable most encryption features. Some other basic protection might include spam filtering and malicious URL filtering, and common settings around SPF, DKIM and DMARC. However, the users have the ability to override default settings, and may not understand the consequence. One example is changing the settings to increase compatibility across older devices or software, protocols known as POP3 and IMAP. These systems allow for email to be downloaded and replicated to a compatible device; however, the authentication mechanism only uses a username and password, and does not necessarily need to be sent over an encrypted channel.  These open you up to a few weaknesses that you may be unaware of.

1) Password spraying – Guessing the passwords for users over months or years without any lockout period

2) Lack of MFA – These protocols do not support multifactor authentication

3) Lack of Encryption – These features may not support encryption in transit.

There are hundreds of settings that can have far reaching consequences. I encourage administrators to understand the settings through the service that they procure.  To further protect email, some new security vendors are parsing emails to look for pig butchering or invoice scams, which look for behavioral clues compared to a standard baseline that an organization might have. These can help layer on protection to prevent fraud or deception early, often targeted towards certain users (such as your CEO or CFO).  

Email continues to be the communication tool of choice with over 125 billion exchanged every day and Forcing users to use MFA can prevent 99.9% of attacks. Even with other remote tools growing in popularity, such as Slack and Zoom, we continue to see email as the dominate player in the communication space. Working remotely is here to stay and businesses should continue to make sure their basic forms of communication are properly configured and secured.

Written By

Matt is the current Head of Security and Compliance at Forward Networks. He is a security leader and has a background in the areas of threat intelligence, networking, system forensics and discovery, enterprise security auditing, malware analysis and physical security. He is an industry speaker, author, and frequent security podcast guest. Matt also holds a US granted patent, multiple US Government awards and was selected as a one of Silicon Valley Business Journal 40 under 40.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...